NIST's new take on IoT security

By Mark Rockwell

Nov 15, 2016

NIST Fellow Ron Ross said the agency's new guidance "should be the start of a national dialogue" about deeper cybersecurity for internet-of-things devices.

The National Institute of Standards and Technology has released updated guidance on how to develop secure systems from the bottom up in the hopes of starting a national dialogue on the growing importance of cybersecurity in the age of the internet of things.

NIST Fellow Ron Ross called the agency's Special Publication 800-160 the "most important publication I've worked on" in his 20-year career at NIST.

Ross, U.S. CIO Tony Scott and U.S. Chief Information Security Officer Greg Touhill announced the publication's release at the Splunk GovSummit on Nov. 15.

It urges organizations -- including federal agencies and commercial equipment and service providers -- to address security throughout the systems engineering process rather than "bolting on" firewalls, encryption and monitoring systems to operating systems and applications after they are purchased.

The goal is to build security into IoT devices in the way that safety features, such as seat belts and air bags, have been engineered into automobiles.

NIST bumped up the release date for the publication in the wake of the Mirai malware attack that used IoT devices to overwhelm internet infrastructure provider Dyn with a flood of traffic.

Design weaknesses in IoT devices, including discoverable default passwords and unalterable hardwired credentials, allowed attackers to take control of the devices.

Scott said the NIST publication sets the stage for future cybersecurity development to eliminate basic design flaws in internet-facing devices, which include consumer goods and critical infrastructure systems.

IoT cybersecurity "should be high on the agenda" for the incoming administration, just as it was during the Obama administration, he added.

Touhill said the document marks the beginning of a shift in thinking for federal agencies, product and system manufacturers, and the public, which will go from being victims reacting to cyberattacks to taking a new proactive approach backed by baked-in security for the billions of existing and future devices on the IoT.

During a press conference after the announcement, Ross said NIST officials are eager to talk with the incoming Trump administration about the guidance.

"The election transition is going on now," he said. "We've been through this before. We'll give the new administration time to settle in and then we will engage."

Ross added that "it's always a new dialogue" whenever a new presidential administration comes in, "but in 20 years, computer security has always been a bipartisan issue."

Officials hope device, hardware and software engineers will incorporate the guidance into their work, Ross said, adding that the techniques can be adapted to waterfall or agile development.

NIST designed the guidance to be as welcoming as possible and avoided making it mandatory for federal agencies, along the lines of Federal Information Processing Standard 140-2, the official U.S. government computer security standard used to accredit cryptographic modules. Ross said that given the diverse community of users, a mandatory approach would have been difficult to implement.

The guidance "should be the start of a national dialogue" about deeper cybersecurity for IoT devices and how those devices are used, and "win hearts and minds" of engineers and users along the way, he said.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Reader comments

Wed, Nov 30, 2016

This is not a new problem and CISOs have been arguing the point that until accountability is enforced there will be no "voluntary" acceptance of this standard. This standard and the press coverage of what needs to be done are weak and using "candy to get the baby..." or hoping vendors will adopt this, over making money for convenience with no accountability for insecure products ensures this will fail.

How many times have the people in the trenches informed leadership about risks, only to be silenced or ignored because some executive or customer would have to do an extra step like two factor? How many times has the leadership (elected officials in Govt, CEO, CIO etc.) truly been held accountable? Finally most IOT is consumer based, not designed for enterprise systems, try stopping a IOT procurement racked full of risks, that leadership knows about but for fear of political career survivability or convenience that leadership forces the staff in trenchs to impliment the IOT anyway.

Wed, Nov 23, 2016
WDC

"Bipartisan support of increased computer security" is very likely after the blow-back from this election. Neither party will want to risk public disclosure of future emails of inner political workings or third-party manipulation of electronic voting.
"Better security of IoT" and establishment of tech standards needs to be supported (perhaps lead) by the government, unfortunately NIST has already sacrificed some credibility with wrt privacy given their previous facilitation of purposely weak encryption standards in support of the NSA.
The last thing an informed citizen should want is a home full of government-accessible locks, listening & imaging devices. My stove, clothes washer, toaster, etc do not need to talk to the internet.

Fri, Nov 18, 2016
Karen Bannan for IDG and HP

"Officials hope device, hardware and software engineers will incorporate the guidance into their work, Ross said..."
That's great, except I don't think it's enough. Look at printers. There are plenty of standards out there and yet you still get breaches that originate from the printer. Printers are a huge security risk and many vendors aren't doing enough to secure their customers.

Please post your comments here. Comments are moderated, so they may not appear immediately
after submitting. We will not post comments that we consider abusive or off-topic.